The end of antivirus as you know it?

I read an article on Network World entitled Is desktop antivirus dead? that raised a lot of good points on why the way antivirus programs work needs to be changed. Basically, signature-based detection is getting old and needs to go away because there are so many variants created to get around that type of detection. Antivirus vendors need to start looking at whitelisting or behavior-blocking types of protection. An example of software that uses behavior blocking would be Sana Security Primary Response SafeConnect.

An interesting part of the article is what is happening at the antivirus vendor sites trying to push out updated definitions.

The antivirus vendors simply can’t keep up, Jaquith says, noting that some antivirus lab managers privately complain this flood of virus variants, which force signature changes every 10 minutes, adds up to the equivalent of a denial-of-service attack against them.

Being flooded with variants isn’t the only problem. There is also the issue of pushing the updates out and end users downloading the updates. Until the update is downloaded, the end user will remain vulnerable.

The move to white-listing would be an uphill climb. End users, or network admins, would have to configure the software for every program that they wish to be able to run if it is not already in the whitelist. Either you would have to open the antivirus program and manually configure it or have it automatically ask if you want to allow the program to run. How long would it take you to get tired of “Do you really want this program to run?” pop-ups?
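To make the difference between the two models concrete, here is a small added example (my own code, not from the article or any vendor mentioned above). It stands in for executables with constructed byte strings and uses a whole-file SHA-256 as the "signature": a signature blacklist misses a repacked variant that differs by a single byte, while a hash allowlist blocks the variant but also blocks a harmless new version of an approved program until an admin adds it, which is exactly the configuration burden and pop-up problem described above. The program names, contents and policy functions are all assumptions made for illustration.

```python
import hashlib

# Constructed stand-ins for executable file contents (not real binaries).
TRUSTED_EDITOR_V1 = b"MZ\x90\x00 editor 1.0 \x00 draw_window save_file"
TRUSTED_EDITOR_V2 = b"MZ\x90\x00 editor 1.1 \x00 draw_window save_file print"
KNOWN_MALWARE = b"MZ\x90\x00 dropper \x00 write_autorun connect_out"
# A repacked variant: one byte differs, so a whole-file signature no longer matches.
MALWARE_VARIANT = KNOWN_MALWARE.replace(b"dropper", b"dr0pper")


def fingerprint(program: bytes) -> str:
    """Whole-file SHA-256, the simplest kind of 'signature'."""
    return hashlib.sha256(program).hexdigest()


# Blacklist (signature) model: the vendor ships hashes of samples it has seen.
SIGNATURE_BLACKLIST = {fingerprint(KNOWN_MALWARE)}

# Whitelist model: the admin approves hashes of programs that may run.
ALLOWLIST = {fingerprint(TRUSTED_EDITOR_V1)}


def blacklist_verdict(program: bytes) -> str:
    """Signature-based AV: block only what is already known bad."""
    return "block" if fingerprint(program) in SIGNATURE_BLACKLIST else "allow"


def allowlist_verdict(program: bytes) -> str:
    """Whitelisting: run only what is already known good."""
    return "allow" if fingerprint(program) in ALLOWLIST else "block"


def triage(program: bytes, allowlist: set, blacklist: set) -> str:
    """Combined policy: allow known good, block known bad, and prompt the user
    for everything else (the 'Do you really want this program to run?' case)."""
    h = fingerprint(program)
    if h in blacklist:
        return "block"
    if h in allowlist:
        return "allow"
    return "prompt"


def count_prompts(programs, allowlist, blacklist) -> int:
    """Number of pop-ups a user would see for a batch of programs."""
    return sum(1 for p in programs if triage(p, allowlist, blacklist) == "prompt")


if __name__ == "__main__":
    samples = [
        ("editor 1.0 (approved)", TRUSTED_EDITOR_V1),
        ("editor 1.1 (new, harmless)", TRUSTED_EDITOR_V2),
        ("known dropper", KNOWN_MALWARE),
        ("repacked dropper", MALWARE_VARIANT),
    ]
    for name, prog in samples:
        print(f"{name:28} blacklist={blacklist_verdict(prog):5} "
              f"allowlist={allowlist_verdict(prog):5} "
              f"combined={triage(prog, ALLOWLIST, SIGNATURE_BLACKLIST)}")
    print("prompts:", count_prompts([p for _, p in samples], ALLOWLIST, SIGNATURE_BLACKLIST))
```

Running it shows the repacked dropper sailing past the blacklist while the allowlist stops it, and two of the four programs (the new editor build and the variant) generating a prompt under the combined policy. Real products use far more than whole-file hashes (signed publishers, code paths, behavior), but the trade-off between "known bad" and "known good" lists is the same.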

What do you think about adding behavior blocking to antivirus programs as the main shield, to prevent viruses from delivering their payload, and signature based rules for virus removal?

Wisdom is the reward you get for a lifetime of listening when you’d have preferred to talk. - Doug Larson

19.Apr.07 Security, Software


2 Responses to “The end of antivirus as you know it?”

  1. dwhit26

    How long would it take you to get tired of “Do you really want this program to run?” pop-ups?

    A: I know with Zone Alarm asking what programs to allow got annoying after a while. I had that on my mother's computer and she just hit the “accept” button without even reading what was on the alert. There could also be times when you are typing or something and accidentally hit allow or deny and screw things up. I think that it would get annoying to have to configure every program you have installed also. Some people have so many programs it would take a day or two of configuring.

  2. Cold Drink

    Heuristic detection methods are so much better! Whitelisting is too annoying, and blacklisting is the original problem: how to keep up with the blacklist…
